Sharing Security for Developers Industrywide

REDMOND, Wash., Sept. 16, 2008 — As operating systems become more secure, attacks are evolving and moving “up the stack” into the application layer. As a result, customers are looking to the industry for security solutions and putting pressure on independent software vendors, Web services providers and original equipment manufacturers to adopt secure development practices and educate their developers on secure coding.

Steve Lipner’s group is working to share secure development practices and tools with customers and partners.

Microsoft created the Security Development Lifecycle (SDL) in 2004, significantly improving the security, privacy and reliability of the company’s software. Now, Microsoft is working to share what it’s learned as part of the company’s commitment to create a more trusted computing experience for everyone.

As part of that effort, Microsoft today announced its plans to deliver three new programs and tools this fall — the SDL Optimization Model, the SDL Pro Network, and the Microsoft SDL Threat Modeling Tool — that will enable the industry to create more secure and privacy-enhanced technology for an online world.

To learn more about these new initiatives, PressPass spoke with Steve Lipner, senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group.

PressPass: Let’s talk more about the three announcements made today, starting with the Microsoft SDL Optimization Model. What’s this program all about?

Lipner: The Microsoft SDL Optimization Model was created to facilitate consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of their secure software development practices and to create a vision and road map for reducing customer risk. In November, we will make the model freely available via a download on MSDN.

PressPass: Why did your team decide to make this available to the industry at large?

Lipner: Microsoft is committed to protecting customers and enabling a more trusted computing experience. One of the ways we reach this goal is by sharing our security and privacy expertise, guidance, technology and processes with the industry. The Microsoft SDL Optimization Model speaks to our efforts in this area. We wanted to enable organizations outside of Microsoft to create more secure and privacy-enhanced software by implementing the SDL — a process that’s proved successful within Microsoft. We felt it was important to provide organizations with a way to self-assess their current software development security practices and create a strategy for improvement.

PressPass: What are the benefits of the model?

Lipner: There are two primary benefits of the SDL Optimization Model. First, it helps organizations assess the maturity of their practices for building secure software. As a result, they will understand how they compare to industry norms and customer expectations. Second, the SDL Optimization Model helps organizations identify specific gaps in their security development practices and, in turn, make specific plans for improvements that will bring their practices to a consistent and well-understood level.

PressPass: Let’s move on to the next program you’ve announced — the SDL Pro Network. Can you tell us about that?

Lipner: We created the SDL Pro Network, which combines guidance and SDL best practices with the expertise of security service providers, to address the challenges developers are facing with attacks moving up the stack and into the application layer. The one-year pilot phase will begin in November. The SDL Pro Network is part of Microsoft’s commitment to enable organizations outside the company to develop more secure applications through SDL technologies, prescriptive guidance and industry partnerships.

PressPass: Who are the Pro Network members and what will they do?

Lipner: SDL Pro Network members are security consultants and trainers from the United States and Europe who specialize in application security and have substantial experience and expertise with the practices and technologies of the Microsoft SDL. Specifically, the one-year pilot consists of nine member companies. You can view the list of Pro Network members by visiting the SDL portal.

PressPass: What exactly will these member companies do?

Lipner: The services offered by members closely follow the processes of SDL, and were designed to span the entire life cycle and make security and privacy an integral part of how software is developed. Specific offerings fall into the following areas:

Training, policy and process development, including security training and general counsel on how to implement the SDL

Implementation, including use of safe APIs, code security analysis and code review

Verification, including fuzz testing and Web application scanning

Release and response, including Final Security Review (FSR), penetration testing, and response planning and execution

PressPass: Can anyone join?

Lipner: Because the SDL Pro Network will soon begin its pilot year, membership is limited. However, over the next year, Microsoft and the member companies will evaluate how to best expand the program to others in the industry. For updates, you can visit the SDL portal.

PressPass: Can you tell us about the threat modeling tool Microsoft will be releasing in November?

Lipner: We’re all really excited that we will make our own internal threat modeling tool, the Microsoft SDL Threat Modeling Tool 3.0, freely available to all software developers in November.

The tool allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. Most importantly, it offers a threat modeling methodology that any software architect can lead effectively, in contrast with other processes, which are more dependent on security experts.

PressPass: Is there anything new and innovative about the Microsoft SDL Threat Modeling Tool?

Lipner: The tool will offer a number of new, pioneering features, including guidance and feedback on drawing the data flow diagrams that underlie threat models, guided analysis of threats and mitigations, bug-tracking system integration, and recommendations for fuzz testing in the verification phase.

PressPass: Aside from the ease of use, how does this tool differ from other threat modeling tools and approaches out there?

Lipner: The Microsoft SDL Threat Modeling Tool really does have a unique methodology. First, many threat modeling approaches center on assets or attackers. In contrast, our approach to threat modeling is centered on the software. This new tool builds on activities that all software developers and architects are familiar with, such as drawing diagrams of their software architecture.

Second, it’s focused on design analysis. The term “threat modeling” can refer to either security requirements elicitation techniques or design analysis. Sometimes, it refers to a complex blend of the two. The Microsoft SDL approach to threat modeling is a focused design analysis technique. We think this tool will help a lot of developers build more secure software.
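The software-centric, diagram-driven analysis Lipner describes, as an added illustration that is not the Microsoft tool or its code: a data flow diagram is modelled as elements placed inside trust boundaries plus the flows between them, and each element kind is mapped to the threat categories it can be subject to. The STRIDE-per-element mapping, the per-category security properties and the three-tier sample are assumptions drawn from published SDL guidance, not from this interview.

```python
from collections import namedtuple

# STRIDE per element: Spoofing, Tampering, Repudiation, Information disclosure,
# Denial of service, Elevation of privilege, keyed by the kind of diagram element.
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity: user, browser, other system
    "process": "STRIDE",   # running code
    "datastore": "TRID",   # file, database, registry key
    "dataflow": "TID",     # data in transit between two elements
}
# Security property that addresses each category (SDL guidance, not the page).
MITIGATION = {"S": "authentication", "T": "integrity", "R": "logging/non-repudiation",
              "I": "confidentiality", "D": "availability", "E": "authorization"}

# DFD vocabulary: elements live inside a trust boundary; flows connect elements.
Element = namedtuple("Element", "name kind boundary")   # kind: external|process|datastore
Flow = namedtuple("Flow", "name src dst")

def analyze(elements, flows):
    """Map each element and flow to candidate STRIDE letters; flag flows whose
    endpoints sit in different trust boundaries, since that data is untrusted."""
    by_name = {e.name: e for e in elements}
    findings = {e.name: {"threats": list(STRIDE_PER_ELEMENT[e.kind]),
                         "crosses_boundary": False} for e in elements}
    for f in flows:
        crosses = by_name[f.src].boundary != by_name[f.dst].boundary
        findings[f.name] = {"threats": list(STRIDE_PER_ELEMENT["dataflow"]),
                            "crosses_boundary": crosses}
    return findings

def mitigations(finding):
    """Security properties the design must provide to address one finding."""
    return [MITIGATION[c] for c in finding["threats"]]

def boundary_crossings(findings):
    """Names of the flows a reviewer should look at first."""
    return sorted(n for n, f in findings.items() if f["crosses_boundary"])

def sample_model():
    """Constructed sample: browser on the internet, web server and session cache
    in a DMZ, database on the internal network."""
    elements = [Element("Browser", "external", "internet"),
                Element("Web server", "process", "dmz"),
                Element("Session cache", "datastore", "dmz"),
                Element("Database", "datastore", "internal")]
    flows = [Flow("login request", "Browser", "Web server"),
             Flow("session lookup", "Web server", "Session cache"),
             Flow("SQL query", "Web server", "Database"),
             Flow("HTML response", "Web server", "Browser")]
    return elements, flows
```

Running `analyze(*sample_model())` lists every element and flow with its candidate categories; the flows that cross from the internet into the DMZ and from the DMZ into the internal network are the ones flagged for closest review, while the in-DMZ session lookup is not.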

PressPass: Is this all that they need to do to secure their software?

Lipner: Although that would be nice, threat modeling is only one element of more secure development. Security in the design phase — the phase of software development that threat modeling falls into — is only one part of the SDL. To create more secure software, threat modeling must be complemented with security activities in other phases, including implementation and verification. The Microsoft SDL integrates security activities in all of these phases.

Sidebar: New SDL Programs in Detail

Microsoft will release three new programs in November to share security best practices broadly with the industry. Based on the company’s Security Development Lifecycle, the programs are as follows:

SDL Optimization Model. The Optimization Model facilitates implementation of the SDL in development organizations outside of Microsoft. The model, which will be freely available for download, is based on the Microsoft IT Infrastructure and Application Platform Optimization models, which focus on leveraging IT as a driver of business value.

SDL Pro Network. The Network is a group of nine industry-leading consultancies that specialize in application security and have been specially trained by Microsoft. These providers will guide and support organizations in implementing the SDL in their environments. Currently in its build-out phase, the one-year pilot of the program will begin in November.

Microsoft SDL Threat Modeling Tool. This tool allows for structured analysis, tracking and mitigation of potential security and privacy issues, based on a methodology that any software architect can lead effectively. The tool has been used extensively within Microsoft, and will become freely available in November via the MSDN Download Center. More information about the tool, including a short demonstration, can be found on the SDL portal.